Who is F5?

EMEA Phishing Patterns: Insights from the F5 SOC

Lori MacVittie

Published March 23, 2016

It’s no secret to those who engage in actual fishing (for real, live fish) that timing matters. Certain types of fish are more active and thus likely to be caught in the morning, others in the evening, and still others in the early afternoon.

It turns out that digital phishing is no different, if we’re to interpret the patterns exhibited by those conducting such activities based on statistics collected by our F5 SOC in 2015 from phishing attempts made against financial institutions across Europe, the Middle East, and Africa (EMEA).

TIMING MATTERS

If you want to avoid being caught by a phishing attack in EMEA, it turns out the best day of the week to conduct financial business would be on Saturday. Only 5% of attacks occurred then in 2015, with Friday and Sunday being your next best bet, with only 12% occurring on either of those days.

Monday’s bad reputation holds true as more attacks were seen on Monday (20%) than on any other day, though the rest of the business week doesn’t fare all that much better. It’s no surprise that financial institutions see more attacks on average during the work week than on the weekends considering research from IDC indicates 30-40% of Internet access time in the workplace is spent on non-work related activities[1].

This is further reinforced by data showing that most phishing attacks are occurring during business hours.

During 2015 it was also 200% more likely you’d see a phishing attack at the beginning of the month rather than at the end. Phishing attacks peaked during the first week of the month and then tapered off, with predictably higher activity during week days and lower activity on weekends.

Not unsurprisingly, across the EMEA region most employers extract employee salaries either at the beginning or the end of the month. F5 SOC experts note this combined with the 46% average online banking use across the EU[2] is likely the reason we see a sharp rise in attacks during the beginning of the month as employees log in to their online banking systems to pay bills or check if their salaries have been deposited yet.

CHOOSING THE RIGHT LURE

When fishing in the physical world no topic is as contentious which lure is best. Colors, size, motion, and how closely the lure mimics the “real” world are important factors. After all, we’re trying to convince the fish that the lure we’re using is a real in the hopes they’ll bite. The same is true of the lures and sites used by phishers of financial data in the digital world.

It turns out that just as fish take a lot to be convinced, so too do potential phishing victims. The F5 SOC found that on average it took 9.14 visits to a fraudulent page before someone took the bait.

Experts spend a lot of time evaluating discovered fraudulent sites in order to glean as much as they can about the phishers and their techniques. It turns out they can tell a lot about attackers by the URLs used in phishing attacks. During 2015 it was noted that 1 in 10 fraudulent sites were either hosted in the root direction without any additional path, e.g. www.phishingsite.com or www.phishingsite.com/index.html, indicating that the servers were prepared specifically to host fraudulent sites. That means they were likely purchased specifically for phishing attacks. Typically, attackers will hack and inject an existing site with malicious content, so this move is disconcerting as the setup of the site is not prone to detection by other preventative means, such as web application firewalls.

It is not surprising to find that 15% of fraudulent sites were hosted in Word Press folders given the number of severe vulnerabilities reported to be plaguing the popular system in 2015. Unpatched and/or unaddressed vulnerabilities are easily exploited by those looking for a place to host their malicious code and fraudulent sites.

Additionally, F5 SOC experts note that 20% of URL paths were generated dynamically on a per-victim basis, making it difficult to block with traditional security measures. This also contributes to the average time it took in 2015 to remove or shut down fraudulent sites.

The good news is that it takes less time to take down a fraudulent site when end-user credentials have been stolen. The bad news is that in the intervening hours that many users remain unprotected and thus unaware of the potential danger.

The F5 SOC recommends monitoring of domains with similar naming to official ones in order to decrease time between establishment and detection. Many fake pages, even though not necessarily hosted at domains with similar names contain official strings in the attacking URL. In general, F5 SOC recommends searching the Internet for these specific words. Phishing attacks targeting financial institutions located in EMEA tend to be most active during business hours, Monday through Thursday. Time is key to prevent consumers from becoming victims of credential theft, so it is important to have all fake pages analyzed and shutdown as soon as possible.